Then in early November a researcher at Cornell University published a paper asserting that the virtual currency is broken -- that is, that the system of difficult algorithms that one must solve to obtain bitcoins might be successfully exploited by a group of sufficiently clever and selfish bitcoin miners.

Actually it was a pre-review print dumped into Arxiv that suggest combination of known attacks that are more expensive that suggested in that paper.

Next came the U.S. Senate hearings aimed at discovering whether these so-called crypto-currencies are a tool for drug dealers and money launderers to do business beyond official scrutiny.

As far as price movement goes the market for Bitcoins seemed to have responded to the hearings swimmingly.

And now, just in time for the holiday shopping season, comes the disclosure that the Bitcoin Internet Payment System -- or BIPS -- has been hacked. Customers lost the equivalent of about $1 million in bitcoins. Hacking BIPS isn’t like stealing from a virtual bank run by an Australian teenager. According to its website, BIPS is “the premier bitcoin service provider,” helping to facilitate bitcoin use even in the brick-and-mortar world.

What BIPS was operating was neither functionally nor morally different from what that Australian teenager was operating. Proclaiming to be the "premier Bitcoin service provider" and actually being such a thing are, well different things. Many "premier Bitcoin service providers" have enjoyed rather short lifespans. Especially ironic is that the "premier Bitcoin service" has on deposit only a quarter to a third on the number of coins the Australian teenager did.

...

Things get boring for a while and then we get a gem.

A principal knock on bitcoins has been the claim that they are inherently insecure. The principal defense has been that they are as secure as “real” currency. Both can be lost or stolen. And, as bitcoin supporters like to point out, most of the cases of hacking involve individuals who have followed poor password security procedures -- the sort of carelessness that would cause you equal trouble with your dollar-denominated online banking account. The trouble for the crypto-currencies is that being as safe as other forms of currency isn’t enough.

Which is a rather fair criticism concerning the ways in which many people use Bitcoins, but it is unrelated to the actual security of Bitcoins. At their simplest Bitcoins are nothing more than balances tied to an address, and those Bitcoins may only be spent by using a private key to sign a transaction that satisfies the conditions of the address. At the moment that almost always means the address is the hash of a public key from an ECDSA key pair and a valid transaction will include in the signature from the private key as well as the whole public key.1

In nearly all cases of Bitcoin thefts the mistake of the users had nothing to do with strong or weak passwords. It had to do with users who instead of holding their Bitcoins in a sane way entrusted a web service to hold on to Bitcoins in their name. As far as Bitcoin was concerned though, since the web services held the private keys those coins were effectively the web service's coins. That means that whether the web services operator is an Australian teenager or a "premier Bitcoin service" that when the web service makes a lapse in their security that the user's only preventative remedy could have been to never trust their coins in the care of that web service in the first place.

More on this last point can be here, where I took apart an announcement from BIPS on their hack. The one thing I would like to ask of media is to stop covering Bitcoin in a way that prejudices self proclaimed "premier Bitcoin services" over actual Bitcoin and actual things in Bitcoin. It does a horrible disservice to your readers to suggest that in any way BIPS was any less noobish, idiotic, or incompetent than the Australian teenager. They might get the wrong idea and think that they should trust BIPS with their coins should they ever reopen when in reality they should be banished into irrelevance, with their only legacy being another chapter in the lengthening book of different people who kept trying the same brain dead idea and failing.

The public key gets included in the signature so it can be tested against the address, which is just a one-way hash of the public key. On some level this protects Bitcoin balances against some forms of attack that if the form of ECDSA used were broken prevent addresses from having their private keys solved, provided those addresses had never spent their coins before. [↩]

This entry was posted
on Monday, December 2nd, 2013 at 11:48 p.m. and is filed under Uncategorized.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.